Audit of Business Continuity Planning

Save this PDF as:

Size: px
Start display at page:

Download "Audit of Business Continuity Planning"

Transcription

1 Cumbria Office of the Police & Crime Commissioner Audit of Business Continuity Planning 0 Cumbria Shared Internal Audit Service Images courtesy of Carlisle City Council except: Parks (Chinese Gardens), Monument (Market Cross), Jason Friend, The Courts (Citadel), Jonathan Becker 13 April May 2015 Page 1

2 Audit Resources Title Name Telephone Audit Manager Emma Toyne Lead Auditor(s) Diane Lowry Audit Report Distribution For Action: For Information: Joanne Head (Governance and Business Services Manager) Linda McGinley (Engagement and Communications Officer) Stuart Edwards (Chief Executive) Audit Committee The Joint Audit & Standards Committee, which is due to be held on 23 June 2015 will receive the report. Note: Audit reports should not be circulated wider than the above distribution without the consent of the Audit Manager. 1 Cumbria Shared Internal Audit Service Images courtesy of Carlisle City Council except: Parks (Chinese Gardens), Monument (Market Cross), Jason Friend, The Courts (Citadel), Jonathan Becker Page 1

3 Executive Summary COPCC Audit of Business Continuity Planning 1. Background 1.1. This report summarises the findings from the audit of Cumbria Office of the Police and Crime Commissioner (COPCC) Business Continuity Planning. This was a planned audit assignment which was undertaken in accordance with the 2014/15 Audit Plan Business continuity planning is the process of planning for possibly unexpected, but nevertheless, foreseeable, events. Business continuity planning is important as it provides the COPCC with ways to minimise the effects of unexpected disruptions or emergencies as well as planning a return to normality as soon as practicable The Police and Crime Commissioner has a statutory responsibility for holding the Chief Constable to account and good practice would include ensuring that adequate and effective business continuity arrangements are in place within the Constabulary. 2. Audit Approach 2.1. Audit Objectives and Methodology Compliance with the mandatory Public Sector Internal Audit Standards requires that internal audit activity evaluates the exposures to risks relating to the organisation s governance, operations and information systems. A risk based audit approach has been applied which aligns to the five key audit control objectives which are outlined in section 4; detailed findings and recommendations are reported within section 5 of this report Audit Scope and Limitations The Audit Scope was agreed with management prior to the commencement of this audit review. The Client Sponsor for this review was the Governance and Business Services Manager and the agreed scope areas for consideration were identified as follows: Roles and responsibilities for business continuity planning and management; Adequacy and effectiveness of business continuity plans; Arrangements for testing of and training on plans; Ensuring continuity of service when staff roles and responsibilities change or people leave the organisation Arrangements for ensuring effective use of technology and; Arrangements for holding the Constabulary to account. 2 Cumbria Shared Internal Audit Service: Internal Audit Report Page 2

4 Executive Summary COPCC Audit of Business Continuity Planning The business continuity plan was in the process of being developed during the audit review so the scope of the audit focussed on the arrangements for the preparation and implementation of the plan. 3. Assurance Opinion 3.1. Each audit review is given an assurance opinion and these are intended to assist Members and Officers in their assessment of the overall level of control and potential impact of any identified system weaknesses. There are 4 levels of assurance opinion which may be applied. The definition for each level is explained in Appendix A The OPCC has recognised that this is an area that needs to be addressed and has allocated resources to creating a business continuity plan and work is now underway on this. However, there is a lack of a corporately agreed approach and the organisation has not yet defined its business continuity arrangements, we have therefore concluded that, from the areas examined and tested as part of this audit review, we consider the current controls operating within business continuity planning provide Limited assurance. Note: as audit work is restricted by the areas identified in the Audit Scope and is primarily sample based, full coverage of the system and complete assurance cannot be given to an audit area. 4. Summary of Recommendations, Audit Findings and Report Distribution 4.1. There are three levels of audit recommendation; the definition for each level is explained in Appendix B There are five audit recommendations are arising from this audit review and these can be summarised as follows: No. of recommendations Control Objective High Medium Advisory 1. Management - achievement of the organisation s strategic objectives achieved (see section 5.1.) Cumbria Shared Internal Audit Service: Internal Audit Report Page 3 3

5 COPCC Audit of Business Continuity Planning 2. Regulatory - compliance with laws, regulations, policies, procedures and contracts (see section 5.2.) Information - reliability and integrity of financial and operational information Security - safeguarding of assets Value - effectiveness and efficiency of operations and programmes Total Number of Recommendations Areas for development: Improvements in the following areas are necessary in order to strengthen existing control arrangements: High priority issues: There is a need for a defined approach to business continuity planning within the Commissioner s Office and a business continuity policy should be established. Governance and management oversight of the preparation of the business continuity plan should be defined and documented to ensure that the plan is appropriate to the needs of the organisation and is appropriately signed off at senior management level. The organisation should define its business continuity requirements to ensure that the plan is developed in line with the organisation s business continuity needs. Documented and tested business continuity plans need to be in place to ensure that the organisation is complying with its own Financial Regulations which place a responsibility on Chief Officers to maintain appropriate business continuity plans Medium priority issues: Arrangements for the Commissioner to receive assurance over the Constabulary s business continuity plans need to be formalised Advisory issues: No advisory issues were identified Cumbria Shared Internal Audit Service: Internal Audit Report Page 4 4

6 COPCC Audit of Business Continuity Planning Comment from the Chief Finance Officer / Deputy Chief Executive The OPCC recognises that further work is needed to formally document and consolidate the arrangements for business continuity and this is being given priority over the next few months. Whilst there is a clear need to complete and formally test an OPCC corporate business continuity plan, operational arrangements (off site contact records, remote ICT access, finance service BCP including critical finance activities) are in place to facilitate key activities in the event of a business continuity incident arising during this time. Cumbria Shared Internal Audit Service: Internal Audit Report Page 5 5

7 Management Action Plan COPCC Audit of Business Continuity Planning 5. Matters Arising / Agreed Action Plan 5.1. Management - achievement of the organisation s strategic objectives. Medium priority Audit finding (a) Assurance from the Constabulary The Police and Crime Commissioner is accountable under the Police Reform and Social Responsibility Act 2011 for securing an effective and efficient police force for Cumbria. Whilst there are no specific requirements on the Commissioner to receive assurance over the Constabulary s Business Continuity Planning arrangements, good practice would include assurance over this area. At the time of the audit, discussions were underway between the Governance and Business Services Manager, the Engagement and Communications Officer and the Temporary Superintendent (Operations) to determine the best method for implementing this process. We consider that the OPCC should define its assurance requirements in relation to business continuity and then work with the Constabulary to establish how these will be delivered. Management response Agreed management action: We will define the requirements of the Commissioner to ensure appropriate arrangements are in place. The Engagement and Communications Officer will meet with the Temporary Superintendent Operations to set out our requirements. The outcome will be reported to the Commissioner at the Executive Board in August. Recommendation 1: The Commissioner s office should set out its business continuity plan assurance requirements from the Chief Constable and work with the Constabulary to ensure there are appropriate arrangements in place for these to be met. Risk exposure if not addressed: Failure to respond appropriately to a significant business continuity incident. Reputational damage if business continuity arrangements fail. Responsible manager for implementing: Engagement and Communications Officer Date to be implemented: End September 2015 Cumbria Shared Internal Audit Service: Internal Audit Report Page 6 6

8 COPCC Audit of Business Continuity Planning High priority Audit finding (b) Arrangements for the preparation of the business continuity plan Effective business continuity management relies on the organisation being clear about its business continuity requirements and establishing appropriate policies and strategies for business continuity. At present the OPCC does not have these in place, resulting in a business continuity plan being created in isolation and without regard for the organisation s requirements. We recommend that the organisation defines its business continuity requirements through a policy and strategy and that the plan is then prepared on this basis. The draft business continuity plan, being prepared at the time of the audit, appears to adopt the model used by the Constabulary. This may not be the most appropriate approach for the Commissioner s office where legislative requirements are less prescriptive and the organisation is much smaller. Management response Agreed management action: Recommendation 2: We will codify the existing documentation to illustrate the OPCC s approach and will include some elements of recommendation 4 within this document. Recommendation 3: We will define our requirements within the overarching document above. Recommendation 2: The OPCC s approach to business continuity planning should be defined and a policy and strategy based on this. Recommendation 3 The OPCC s business continuity requirements should be defined by management prior to the plan being prepared. Risk exposure if not addressed: Business continuity arrangements are not adequate because the organisation has not defined its requirements. Business continuity arrangements may be excessive for the size of the organisation without the organisation having defined its requirements. Responsible manager for implementing: Engagement and Communications Officer Date to be implemented: End July 2015 Cumbria Shared Internal Audit Service: Internal Audit Report Page 7 7

9 COPCC Audit of Business Continuity Planning High priority Audit finding (c) Draft business continuity plan The OPCC s draft business continuity plan evolved during the period the audit took place. There are currently no approved arrangements for preparing the business continuity plan. Roles and responsibilities for preparation of the plan have not been clearly defined and there are no monitoring arrangements in place to ensure that a plan is prepared and implemented on time and to a defined specification. Arrangements for sign off have not been formally documented, although we were informed that the arrangements for approval are sign-off by the Executive Team prior to final approval by the Commissioner. Management response This will be incorporated within the document detailed in recommendation 2 and will include: A high level project plan with timeline stating what will be delivered and when; Sign-off and reporting arrangements. Whilst we recognise that a business continuity plan completion and implementation activity timeline has been prepared we consider that the arrangements for management oversight of the development of the plan(s) should be defined and documented to ensure that plans are developed in line with agreed timescales and organisational requirements. Recommendation 4: Once a policy and strategy and organisational requirements have been defined, we recommend that a project plan is implemented for the development of business continuity plan(s) within the OPCC with clearly defined reporting and sign-off arrangements. Risk exposure if not addressed: Business continuity arrangements are ineffective because appropriate governance arrangements are not in place. Responsible manager for implementing: Engagement and Communications Officer Date to be implemented: End July 2015 Cumbria Shared Internal Audit Service: Internal Audit Report Page 8 8

10 COPCC Audit of Business Continuity Planning 5.2 Regulatory - compliance with laws, regulations, policies, procedures and contracts High priority Audit finding (d) Compliance with Financial Regulations Management response Completing actions 1 to 4 will address this. The OPCC s Financial Regulations place a responsibility on Chief Officers to ensure that appropriate business continuity plans are developed, implemented and tested on a regular basis. Without business continuity plans in place, the organisation is not complying with its own Financial Procedure Rules. The OPCC s Chief Finance Officer has input to the financial services business continuity arrangements which cover part of the overall business continuity arrangements. Recommendation 5: Arrangements should be introduced to give the OPCC assurance that the requirements of the Financial Regulations in relation to Business Continuity Planning are being complied with. Risk exposure if not addressed: Non-compliance with internal rules and regulations. Responsible manager for implementing: Chief Executive Date to be implemented: End September 2015 Cumbria Shared Internal Audit Service: Internal Audit Report Page 9 9

11 Appendix A Audit Assurance Opinions There are four levels of assurance used; these are defined as follows: Substantial Reasonable Partial Limited / None Definition: There is a sound system of internal control designed to achieve the system objectives and this minimises risk. There is a reasonable system of internal control in place which should ensure that system objectives are generally achieved, but some issues have been raised which may result in a degree of risk exposure beyond that which is considered acceptable. The system of internal control designed to achieve the system objectives is not sufficient. Some areas are satisfactory but there are an unacceptable number of weaknesses which have been identified and the level of non-compliance and / or weaknesses in the system of internal control puts the system objectives at risk. Fundamental weaknesses have been identified in the system of internal control resulting in the control environment being unacceptably weak and this exposes the system objectives to an unacceptable level of risk. Rating Reason The controls tested are being consistently applied and no weaknesses were identified. Recommendations, if any, are of an advisory nature in context of the systems and operating controls & management of risks. Generally good systems of internal control are found to be in place but there are some areas where controls are not effectively applied and/or not sufficiently developed. Recommendations are no greater than medium priority. There is an unsatisfactory level of internal control in place as controls are not being operated effectively and consistently; this is likely to be evidenced by a significant level of error being identified. Recommendations may include high and medium priority matters for address. Significant non-compliance with basic controls which leaves the system open to error and/or abuse. Control is generally weak/does not exist. Recommendations will include high priority matters for address. Some medium priority matters may also be present. Cumbria Shared Internal Audit Service: Internal Audit Report Page 10 10

12 Appendix B Grading of Audit Recommendations Audit recommendations are graded in terms of their priority and risk exposure if the issue identified was to remain unaddressed. There are three levels of audit recommendations used; high, medium and advisory, the definitions of which are explained below. Definition: High Significant risk exposure identified arising from a fundamental weakness in the system of internal control Medium Some risk exposure identified from a weakness in the system of internal control Advisory Minor risk exposure / suggested improvement to enhance the system of control Recommendation Follow Up Arrangements: High priority recommendations will be formally followed up by Internal Audit and reported within the defined follow up timescales. This follow up work may include additional audit verification and testing to ensure the agreed actions have been effectively implemented. Medium priority recommendations will be followed with the responsible officer within the defined timescales. Advisory issues are for management consideration. Cumbria Shared Internal Audit Service: Internal Audit Report Page 11 11

Cumbria Constabulary. Business Continuity Planning

Cumbria Constabulary. Business Continuity Planning Cumbria Constabulary Business Continuity Planning 0 Cumbria Shared Internal Audit Service Images courtesy of Carlisle City Council except: Parks (Chinese Gardens), www.sjstudios.co.uk, Monument (Market

More information

Cumbria Constabulary. Audit of Budget Management (Payroll)

Cumbria Constabulary. Audit of Budget Management (Payroll) Cumbria Constabulary Audit of Budget Management (Payroll) 0 Cumbria Shared Internal Audit Service Images courtesy of Carlisle City Council except: Parks (Chinese Gardens), www.sjstudios.co.uk, Monument

More information

Audit Report for South Lakeland District Council. People and Places Directorate Neighbourhood Services. Audit of Grounds Maintenance

Audit Report for South Lakeland District Council. People and Places Directorate Neighbourhood Services. Audit of Grounds Maintenance Audit Report for South Lakeland District Council People and Places Directorate Neighbourhood Services Audit of Grounds Maintenance Cumbria Shared Internal Audit Service: Internal Audit Report 7 th November

More information

Joint Audit Report for South Lakeland District Council. & Eden District Council

Joint Audit Report for South Lakeland District Council. & Eden District Council Joint Audit Report for South Lakeland District Council & Eden District Council Audit of IT Data Backup and Recovery Arrangements Audit of Development Management 22nd May 2015 11 th June 2015 0 Page 0 Audit

More information

Note the Chief Internal Auditor s findings to date and gain assurance from Officers that key issues raised are being addressed.

Note the Chief Internal Auditor s findings to date and gain assurance from Officers that key issues raised are being addressed. Agenda Item No: 9 To: Joint Audit Committee Date: 24 September 2014 By: Chief Internal Auditor Title: Internal Audit Update Report 2014-15 Purpose of Report: The purpose of this report is to give an opinion

More information

Business Continuity Management Policy

Business Continuity Management Policy Governance: Business Committee Policy Owner: Chief Superintendent, Corporate Services Department: Corporate Services Policy Number: 002 Version: 3.0 Policy Writer: Business Continuity Co-ordinator Effective

More information

Senate. SEN15-P17 11 March 2015. Paper Title: Enhancing Information Governance at Loughborough University

Senate. SEN15-P17 11 March 2015. Paper Title: Enhancing Information Governance at Loughborough University SEN15-P17 11 March 2015 Senate Paper Title: Enhancing Information Governance at Loughborough University Author: Information Technology & Governance Committee 1. Specific Decision Required by Committee

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

The University s responsibilities and its arrangements for internal audit Internal audit protocol 2014/15 to 2016/17

The University s responsibilities and its arrangements for internal audit Internal audit protocol 2014/15 to 2016/17 The University s responsibilities and its arrangements for internal audit Internal audit protocol 2014/15 to 2016/17 Summary This paper sets out the University s current obligations and arrangements for

More information

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT 9.7 Date of the meeting 15/07/2015 Author Sponsoring Clinician Purpose of Report Recommendation J Green - Head

More information

West Dunbartonshire Council. Follow-up data protection audit report

West Dunbartonshire Council. Follow-up data protection audit report West Dunbartonshire Council Follow-up data protection audit report Auditors: Lee Taylor (Audit Team Manager) Jonathan Kay (Engagement Lead Auditor) Data controller contacts: Michael Butler (Data Protection/Information

More information

Information Commissioner's Office

Information Commissioner's Office Information Commissioner's Office Internal Audit 2013-14: Follow up Last updated 4 July 2014 Distribution For action Senior Corporate Governance Manager Timetable Fieldwork completed 21 May 2014 Draft

More information

1.0 Policy Statement / Intentions (FOIA - Open)

1.0 Policy Statement / Intentions (FOIA - Open) Force Policy & Procedure Reference Number Business Continuity Management D269 Policy Version Date 23 July 2015 Review Date 23 July 2016 Policy Ownership Portfolio Holder Links or overlaps with other policies

More information

Business Continuity (Policy & Procedure)

Business Continuity (Policy & Procedure) Business Continuity (Policy & Procedure) Publication Scheme Y/N Can be published on Force Website Department of Origin Force Operations Policy Holder Ch Supt Head of Force Ops Author Business Continuity

More information

Internal Audit Report Disaster Recovery / Business Continuity Planning

Internal Audit Report Disaster Recovery / Business Continuity Planning Audit Committee, 28 November 2013 Internal Audit Report Disaster Recovery / Business Continuity Planning Executive summary and recommendations Introduction As part of the Internal Audit Plan for 2013-14,

More information

ENTERPRISE RISK M A NAGEMENT POLICY

ENTERPRISE RISK M A NAGEMENT POLICY Tablelands Regional Council ENTERPRISE RISK M A NAGEMENT POLICY Draft Final Policy No: PD 3.3.1 File ref: PD 3.3.1 Policy Section: INSURANCE AND RISK MANAGEMENT Version: 1 Date Adopted: 7 July 2010 Review

More information

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS NOTTINGHAM CITY HOMES IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS Report issued: February 2011 Audit Plan: The matters raised in this report are only those that came to the attention of the auditor

More information

Bridgend County Borough Council. Corporate Risk Management Policy

Bridgend County Borough Council. Corporate Risk Management Policy Bridgend County Borough Council Corporate Risk Management Policy December 2014 Index Section Page No Introduction 3 Definition of risk 3 Aims and objectives 4 Strategy 4 Accountabilities and roles 5 Risk

More information

Audit Committee, 13 March 2013. Internal Audit Report Project Management. Executive summary and recommendations. Introduction

Audit Committee, 13 March 2013. Internal Audit Report Project Management. Executive summary and recommendations. Introduction Audit Committee, 13 March 2013 Internal Audit Report Project Management Executive summary and recommendations Introduction Mazars has undertaken a review of the arrangements for project management in accordance

More information

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY AUTHOR/ APPROVAL DETAILS Document Author Written By: Human Resources Authorised Signature Authorised By: Helen Shields Date: 20

More information

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery Dacorum Borough Council Final Internal Audit Report IT Business Continuity and Disaster Recovery Distribution list: Chris Gordon Group Manager Performance, Policy and Projects John Worts ICT Team Leader

More information

DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF THE IT STRATEGY AND IMPLEMENTATION CONTROL FRAMEWORK

DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF THE IT STRATEGY AND IMPLEMENTATION CONTROL FRAMEWORK Appendix 1b DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF THE IT STRATEGY AND IMPLEMENTATION CONTROL FRAMEWORK DISTRIBUTION LIST Audit Team Steve Hutton, Head of

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

Information Governance Strategy. Version No 2.0

Information Governance Strategy. Version No 2.0 Plymouth Community Healthcare CIC Information Governance Strategy Version No 2.0 Notice to staff using a paper copy of this guidance. The policies and procedures page of PCH Intranet holds the most recent

More information

Community and Built Environment Localities and Safer Communities Business Continuity Management Policy Andrew Fyfe

Community and Built Environment Localities and Safer Communities Business Continuity Management Policy Andrew Fyfe Community and Built Environment Localities and Safer Communities Business Continuity Management Policy Andrew Fyfe 4 Aug 14 Draft v4.4 TBC Resilience Team BCM Policy draft v4.4 1 4 Aug 2014 Statement of

More information

Compliance. Group Standard

Compliance. Group Standard Group Standard Compliance Serco is committed to good governance practices and the management of risks supported by a robust business compliance process SMS-GS-G2 Compliance July 2014 v1.0 Serco Public

More information

West Midlands Police and Crime Commissioner Records Management Policy 1 Contents

West Midlands Police and Crime Commissioner Records Management Policy 1 Contents West Midlands Police and Crime Commissioner Records Management Policy 1 Contents 1 CONTENTS...2 2 INTRODUCTION...3 2.1 SCOPE...3 2.2 OVERVIEW & PURPOSE...3 2.3 ROLES AND RESPONSIBILITIES...5 COMMISSIONED

More information

1.1 Terms of Reference Y P N Comments/Areas for Improvement

1.1 Terms of Reference Y P N Comments/Areas for Improvement 1 Scope of Internal Audit 1.1 Terms of Reference Y P N Comments/Areas for Improvement 1.1.1 Do Terms of Reference: a) Establish the responsibilities and objectives of IA? b) Establish the organisational

More information

RISK MANAGEMENT AND COMPLIANCE

RISK MANAGEMENT AND COMPLIANCE RISK MANAGEMENT AND COMPLIANCE Contents 1. Risk management system... 2 1.1 Legislation... 2 1.2 Guidance... 3 1.3 Risk management policy... 4 1.4 Risk management process... 4 1.5 Risk register... 8 1.6

More information

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority Internal Audit Progress Report (19 th August 2015) Contents 1. Introduction 2. Key Messages for Committee Attention 3. Work in progress Appendix A: Risk Classification and Assurance Levels Appendix B:

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version 1.1 Responsible Person Information Governance Manager Lead Director Head of Corporate Services Consultation Route Information Governance Steering Group Approval Route

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

GLASGOW LIFE Review of Business Continuity Planning. Final Report

GLASGOW LIFE Review of Business Continuity Planning. Final Report Final Report INTERNAL AUDIT September 2011 Glasgow City Council Internal Audit 1 Table of Contents Section No Section Title 1 Introduction and Background 2 Audit Remit 3 Audit Opinion 4 Conclusions 5 Recommendations

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

More information

Qualification details

Qualification details Qualification details Title New Zealand Diploma in Organisational Risk and Compliance (Level 6) Version 1 Qualification type Diploma Level 6 Credits 120 NZSCED 080317 Quality Management DAS classification

More information

REPORT 2016/035 INTERNAL AUDIT DIVISION

REPORT 2016/035 INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2016/035 Audit of the use of consultants and individual contractors in the United Nations Stabilization Mission in Haiti Overall results relating to the effective hiring

More information

Avon & Somerset Police Authority

Avon & Somerset Police Authority Avon & Somerset Police Authority Internal Audit Report IT Service Desk FINAL REPORT Report Version: Date: Draft to Management: 19 February 2010 Management Response: 12 May 2010 Final: 13 May 2010 Distribution:

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date

More information

SUBMITTED TO: NORFOLK AND SUFFOLK COLLABORATION PANEL - 3 SEPTEMBER 2014 ERP (ENTERPRISE RESOURCE PLANNING) PROJECT UPDATE

SUBMITTED TO: NORFOLK AND SUFFOLK COLLABORATION PANEL - 3 SEPTEMBER 2014 ERP (ENTERPRISE RESOURCE PLANNING) PROJECT UPDATE ORIGINATOR: CHIEF CONSTABLE PAPER NO: NS14/18 SUBMITTED TO: NORFOLK AND SUFFOLK COLLABORATION PANEL - 3 SEPTEMBER 2014 SUBJECT: ERP (ENTERPRISE RESOURCE PLANNING) PROJECT UPDATE SUMMARY: 1. The Collaboration

More information

Committees Date: Subject: Public Report of: For Information Summary

Committees Date: Subject: Public Report of: For Information Summary Committees Audit & Risk Management Committee Finance Committee Subject: Cyber Security Risks Report of: Chamberlain Date: 17 September 2015 22 September 2015 Public For Information Summary Cyber security

More information

Business Continuity Management Framework 2014 2017

Business Continuity Management Framework 2014 2017 Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity

More information

Outstanding, sector leading. Important strengths with some areas for improvement Strengths just outweigh weaknesses Important weaknesses

Outstanding, sector leading. Important strengths with some areas for improvement Strengths just outweigh weaknesses Important weaknesses APPENDIX 4 Finance and Corporate Support Executive Summary 1. Finance and Corporate Support Assessments 1.1 Overall performance is assessed as Very Good 1.2 Capacity for improvement is assessed as Very

More information

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012 GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental

More information

Internal controls Guidance for trustees

Internal controls Guidance for trustees Regulatory code of practice no. 9 Internal controls Guidance for trustees Contents Paragraph Page 1 Introduction 3 5 The status of codes of practice 3 6 Other regulatory requirements 3 7 Terminology 4

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

Information Commissioner's Office

Information Commissioner's Office Phil Keown Engagement Lead T: 020 7728 2394 E: philip.r.keown@uk.gt.com Will Simpson Associate Director T: 0161 953 6486 E: will.g.simpson@uk.gt.com Information Commissioner's Office Internal Audit 2015-16:

More information

Statement of responsibilities of auditors and audited bodies: Local authorities, NHS bodies and small authorities.

Statement of responsibilities of auditors and audited bodies: Local authorities, NHS bodies and small authorities. Statement of responsibilities of auditors and audited bodies: Local authorities, NHS bodies and small authorities. 1. This statement serves as the formal terms of engagement between appointed auditors

More information

Information Commissioner's Office

Information Commissioner's Office Information Commissioner's Office IT Procurement Review Ian Falconer Partner T: 0161 953 6480 E: ian.falconer@uk.gt.com Last updated 18 June 2012 Will Simpson Senior Manager T: 0161 953 6486 E: will.g.simpson@uk.gt.com

More information

Office of the Police and Crime Commissioner for Avon and Somerset and Avon and Somerset Constabulary

Office of the Police and Crime Commissioner for Avon and Somerset and Avon and Somerset Constabulary Office of the Police and Crime Commissioner for Avon and Somerset and Avon and Somerset Constabulary Internal Audit Report () FINAL Risk Management: Follow Up of Previous Internal Audit Recommendations

More information

Internal Audit Report Business Continuity Planning Arrangements

Internal Audit Report Business Continuity Planning Arrangements The Highland Council Community Services Committee 6 November 2014 Agenda Item Report No 19 COM 45/14 Internal Audit Report Planning Arrangements Report by Director of Community Services Summary This report

More information

Aberdeen City Council IT Disaster Recovery

Aberdeen City Council IT Disaster Recovery Aberdeen City Council IT Disaster Recovery Internal Audit Report 2014/2015 for Aberdeen City Council January 2015 Terms or reference agreed 4 weeks prior to fieldwork Target Dates per agreed Actual Dates

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Risk Management Policy and Process Guide

Risk Management Policy and Process Guide Risk Management Policy and Process Guide Status: pending Next review date: December 2015 Page 1 Information Reader Box Directorate Medical Nursing Patients & Information Commissioning Operations (including

More information

Inspection Wales Remit Paper

Inspection Wales Remit Paper Inspection Wales Remit Paper A summary of the remits of the Welsh public sector audit and inspection bodies and the Inspection Wales Programme Issued: July 2015 Document reference: 376A2015 Contents Summary

More information

Asset Management Systems Scheme (AMS Scheme)

Asset Management Systems Scheme (AMS Scheme) Joint Accreditation System of Australia and New Zealand Scheme (AMS Scheme) Requirements for bodies providing audit and certification of 13 April 2015 Authority to Issue Dr James Galloway Chief Executive

More information

Administrative Data Quality Assurance Toolkit

Administrative Data Quality Assurance Toolkit Administrative Data Quality Assurance Toolkit Version 1 January 2015 1 Administrative Data Quality Assurance Toolkit This toolkit is intended to help statistical assessors review the areas of practice

More information

High Assurance Overall, very good management of risk. An effective control environment appears to be in operation.

High Assurance Overall, very good management of risk. An effective control environment appears to be in operation. ANNEX 1 AUDITS COMPLETED AND REPORTS ISSUED The following categories of opinion are used for audit reports. Level of High Overall, very good management of risk. An effective control environment appears

More information

A Framework of Quality Assurance for Responsible Officers and Revalidation

A Framework of Quality Assurance for Responsible Officers and Revalidation A Framework of Quality Assurance for Responsible Officers and Revalidation Supporting responsible officers and designated bodies in providing assurance that they are discharging their statutory responsibilities.

More information

SCRUTINY COMMITTEE ITEM 04 28 MARCH 2012

SCRUTINY COMMITTEE ITEM 04 28 MARCH 2012 SCRUTINY COMMITTEE ITEM 04 28 MARCH 2012 INTERNAL AUDIT PLAN Report of the: Director of Finance Contact: John Turnbull or Gillian McTaggart Urgent Decision?(yes/no) No If yes, reason urgent decision required:

More information

At its meeting in March 2012, the Committee approved the Internal Audit Plan for 2012-13.

At its meeting in March 2012, the Committee approved the Internal Audit Plan for 2012-13. Audit Committee 28 Internal audit report ICT Security Executive summary and recommendations Introduction Mazars has undertaken a review of ICT Security controls, in accordance with the internal audit plan

More information

Appendix C Accountant in Bankruptcy. Annual report on the 2013/14 audit

Appendix C Accountant in Bankruptcy. Annual report on the 2013/14 audit Appendix C Accountant in Bankruptcy Annual report on the 2013/14 audit Prepared for Accountant in Bankruptcy and the Auditor General for Scotland 6 August 2014 Audit Scotland is a statutory body set up

More information

INFORMATION GOVERNANCE STRATEGY

INFORMATION GOVERNANCE STRATEGY INFORMATION GOVERNANCE STRATEGY Page 1 of 10 Strategy Owner Valerie Penn, Head of Governance Strategy Author Caroline Law, Information Governance Project Manager Directorate Corporate Governance Ratifying

More information

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT ACCOUNTING SYSTEM AND GENERAL LEDGER

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT ACCOUNTING SYSTEM AND GENERAL LEDGER SOUTH LAKELAND DISTRICT COUNCIL 12-08 INTERNAL AUDIT FINAL REPORT ACCOUNTING SYSTEM AND GENERAL LEDGER Executive Summary Introduction The Council s Integra financial information and accounting system is

More information

RISK AND COMPLIANCE COMMITTEE CHARTER

RISK AND COMPLIANCE COMMITTEE CHARTER 1. GENERAL SCOPE AND AUTHORITY 1.1 Introduction This charter governs the operations of the Risk & Compliance Committee of Redflex Holdings Limited (RHL or Company). 1.2 Purpose The Risk & Compliance Committee

More information

ANNEXURE D 2. OBJECTIVE

ANNEXURE D 2. OBJECTIVE OVERSIGHT REPORT OF THE CITY OF JOHANNESBURG GROUP AUDIT COMMITTEE ON THE MONITORING OF THE 30 JUNE 2014 STATUTORY YEAR END AUDIT, THE EVALUATION OF THE FINAL AUDITED ANNUAL FINANCIAL STATEMENTS, THE AUDITOR

More information

Governance, Risk and Best Value Committee

Governance, Risk and Best Value Committee Governance, Risk and Best Value Committee 2.00pm, Wednesday 23 September 2015 Internal Audit Report: Integrated Health & Social Care Item number Report number Executive/routine Wards Executive summary

More information

Business Continuity Policy and Business Continuity Management System

Business Continuity Policy and Business Continuity Management System Business Continuity Policy and Business Continuity Management System Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain

More information

Lancashire County Council Information Governance Framework

Lancashire County Council Information Governance Framework Appendix 'A' Lancashire County Council Information Governance Framework Introduction Information Governance provides a framework for bringing together all of the requirements, standards and best practice

More information

APPLICABLE TO: Flow Systems Group and all employees. Risk Management

APPLICABLE TO: Flow Systems Group and all employees. Risk Management PURPOSE: Flow Systems is committed to managing its risks and ensuring compliance with all relevant laws and regulations in a proactive, on-going and positive manner. This document outlines Flow s Risk

More information

2 Matters to report from internal audit work completed during the period

2 Matters to report from internal audit work completed during the period 1 Introduction Appendix A 1.1 This report summarises the work undertaken during the nine months of the year to 31 December 2011 by the council's Internal Audit Service under the internal audit plan for

More information

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June 2007. Report 6c Page 1 of 15

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June 2007. Report 6c Page 1 of 15 Appendix 6c Final Internal Audit Report Disaster Recovery Planning June 2007 Report 6c Page 1 of 15 Contents Page Executive Summary 3 Observations and Recommendations 8 Appendix 1 - Audit Framework 13

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy 1 NHS England INFORMATION READER BOX Directorate Medical Commissioning Operations Patients and Information Nursing Trans. & Corp. Ops. Commissioning Strategy Finance Publications

More information

REPORT 2015/112 INTERNAL AUDIT DIVISION

REPORT 2015/112 INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2015/112 Audit of information and communication technology hosting services provided by third parties to the Office of the United Nations High Commissioner for Refugees Overall

More information

The Annual Audit Letter for West Mercia Police and Crime Commissioner and Chief Constable

The Annual Audit Letter for West Mercia Police and Crime Commissioner and Chief Constable The Annual Audit Letter for West Mercia Police and Crime Commissioner and Chief Constable Year ended 31 March 2015 October 2015 John Gregory Director and Engagement Lead T +44 (0)121 232 5333 E john.gregory@uk.gt.com

More information

Guideline for Roles & Responsibilities in Information Asset Management

Guideline for Roles & Responsibilities in Information Asset Management ISO 27001 Implementer s Forum Guideline for Roles & Responsibilities in Information Asset Management Document ID ISMS/GL/ 003 Classification Internal Use Only Version Number Initial Owner Issue Date 07-08-2009

More information

Auditor General s Office. Governance and Management of City Computer Software Needs Improvement

Auditor General s Office. Governance and Management of City Computer Software Needs Improvement Auditor General s Office Governance and Management of City Computer Software Needs Improvement Transmittal Report Audit Report Management s Response Jeffrey Griffiths, C.A., C.F.E Auditor General, City

More information

Version: 3.0. Effective From: 19/06/2014

Version: 3.0. Effective From: 19/06/2014 Policy No: RM66 Version: 3.0 Name of Policy: Business Continuity Planning Policy Effective From: 19/06/2014 Date Ratified 05/06/2014 Ratified Business Service Development Committee Review Date 01/06/2016

More information

RISK MANAGEMENT FRAMEWORK. 2 RESPONSIBLE PERSON: Sarah Price, Chief Officer

RISK MANAGEMENT FRAMEWORK. 2 RESPONSIBLE PERSON: Sarah Price, Chief Officer RISK MANAGEMENT FRAMEWORK 1 SUMMARY The Risk Management Framework consists of the following: Risk Management policy Risk Management strategy Risk Management accountability Risk Management framework structure.

More information

Information Governance Strategy. Version No 2.1

Information Governance Strategy. Version No 2.1 Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of

More information

Outsourcing Risk Guidance Note for Banks

Outsourcing Risk Guidance Note for Banks Outsourcing Risk Guidance Note for Banks Part 1: Definitions Guideline 1 For the purposes of these guidelines, the following is meant by: a) outsourcing: an authorised entity s use of a third party (the

More information

INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE

INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE CHARTERED INSTITUTE OF INTERNAL AUDIT DEFINITION OF INTERNAL AUDIT Internal auditing is an independent, objective assurance and consulting activity designed

More information

Aberdeen City Council IT Asset Management

Aberdeen City Council IT Asset Management Aberdeen City Council IT Asset Management Internal Audit Report 2014/2015 for Aberdeen City Council January 2015 Terms or reference agreed 4 weeks prior to fieldwork Target Dates per agreed Actual Dates

More information

PROJECT MANAGEMENT FRAMEWORK

PROJECT MANAGEMENT FRAMEWORK PROJECT MANAGEMENT FRAMEWORK DOCUMENT INFORMATION DOCUMENT TYPE: DOCUMENT STATUS: POLICY OWNER POSITION: INTERNAL COMMITTEE ENDORSEMENT: APPROVED BY: Strategic document Approved Executive Assistant to

More information

Dacorum Borough Council Final Internal Audit Report

Dacorum Borough Council Final Internal Audit Report Dacorum Borough Council Final Internal Audit Report ICT Change Management Distribution list: Chris Gordon Group Manager Neil Telkman - Information, Security and Standards Officer Gary Osler ICT Service

More information

ICT Internal Audit Strategy 2009-10 to 2011-12. Report by the Head of Finance

ICT Internal Audit Strategy 2009-10 to 2011-12. Report by the Head of Finance Audit Committee 24 September 2009 Item No. 12 ICT Internal Audit Strategy 2009-10 to 2011-12 Report by the Head of Finance This report introduces the ICT Internal Audit Strategy and asks the Audit Committee

More information

AUDIT REPORT. Corporate Access and Identity Management Project Audit Opinion: Satisfactory. July 31, 2015

AUDIT REPORT. Corporate Access and Identity Management Project Audit Opinion: Satisfactory. July 31, 2015 AUDIT REPORT Corporate Access and Identity Management Project Audit Opinion: Satisfactory July 31, 2015 Report Number: 2015-IT-02 Corporate Access and Identity Management Project Table of Contents: Page

More information

Sickness Reporting Audit Final Report

Sickness Reporting Audit Final Report ITEM 7 APPENDIX B(2) Sickness Reporting Audit Report Michael George Auditor Contact Details 07768 635682 Date of Review November 2013 Draft Report Issued 19 December 2013 Report Issued 14 January 2014

More information

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection Crime Statistics Data Security Standards Office of the Commissioner for Privacy and Data Protection 2015 Document details Security Classification Dissemination Limiting Marker Dissemination Instructions

More information

SAI GLOBAL LIMITED Risk Management Policy

SAI GLOBAL LIMITED Risk Management Policy SAI GLOBAL LIMITED Risk Management Policy SAI Global Ltd ABN 67050611642 Last Updated: February 2012 Contents 1. Risk Management... 3 2. Policy... 3 3. Risk Management Philosophy... 3 4. Risk Appetite...

More information

NOT PROTECTIVELY MARKED. Yes. Disciplinary Policy and Procedures (POLICE STAFF) POLICY REFERENCE NUMBER VERSION 1.0

NOT PROTECTIVELY MARKED. Yes. Disciplinary Policy and Procedures (POLICE STAFF) POLICY REFERENCE NUMBER VERSION 1.0 POLICY Security Classification Disclosable under Freedom of Information Act 2000 Yes POLICY TITLE Disciplinary Policy and Procedures (POLICE STAFF) POLICY REFERENCE NUMBER A050 VERSION 1.0 POLICY OWNERSHIP

More information

Bedfordshire Fire and Rescue Authority Corporate Services Policy and Challenge Group 16 September 2015 Item No. 11

Bedfordshire Fire and Rescue Authority Corporate Services Policy and Challenge Group 16 September 2015 Item No. 11 For Publication REPORT AUTHOR(S): Bedfordshire Fire and Rescue Authority Corporate Services Policy and Challenge Group 16 September 2015 Item No. 11 ASSISTANT CHIEF OFFICER (HUMAN RESOURCES AND ORGANISATIONAL

More information

Group Risk Management Policy

Group Risk Management Policy Group Risk Management Policy Originator: Approval date: Policy and Strategy Team Sovini Board PCHA Board OVH Board/EMT 6 th December 2013 31 st October 2013 14 th October 2013 Review date: December 2014

More information

Comhairle nan Eilean Siar Internal Audit Review DISASTER RECOVERY. Final Report 12/13-20

Comhairle nan Eilean Siar Internal Audit Review DISASTER RECOVERY. Final Report 12/13-20 Comhairle nan Eilean Siar Internal Audit Review Final Report 12/13-20 8 th January 2013 CONTENTS Page SECTION 1 - EXECUTIVE SUMMARY 1-3 SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS 4-9 SECTION 3 -

More information

14 December 2006 GUIDELINES ON OUTSOURCING

14 December 2006 GUIDELINES ON OUTSOURCING 14 December 2006 GUIDELINES ON OUTSOURCING CEBS presents its Guidelines on Outsourcing. The proposed guidelines are based on current practices and also take into account international, such as the Joint

More information

La Trobe University is committed to maintaining a comprehensive and effective Compliance Framework.

La Trobe University is committed to maintaining a comprehensive and effective Compliance Framework. La Trobe University Compliance Framework Introduction The Compliance Framework documents the system and Compliance Process through which La Trobe University can monitor, review and comply with its legislative

More information

Employee Performance Management Policy

Employee Performance Management Policy Employee Performance Management Policy Contents 1. Policy Statement... 2 2. Scope... 2 3. Roles and Responsibilities... 3 4. Competency Based Performance Management... 4 5. Corporate and Service Priorities

More information

The Risk Management strategy sets out the framework that the Council has established.

The Risk Management strategy sets out the framework that the Council has established. Derbyshire County Council Management Policy Statement The Authority adopts a proactive approach to Management to achieve Best Value and continuous improvement and is committed to the effective management

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version Version 1 Ratified By Date Ratified PROPOSED FOR APPROVAL 15/11/12 Author(s) Responsible Committee / Officers Date Issue November 2012 Review Date November 2013 Intended

More information

Business Continuity Management Policy

Business Continuity Management Policy Business Continuity Management Policy Business Continuity Policy Version 1.0 1 Version control Version Date Changes Author 0.1 April 13 1 st draft PH 0.2 June 13 Amendments in line with guidance PH 0.3

More information